AI and Data Protection: Italy’s legislative approach

published on 22 July 2025 | reading time approx. 3 minutes

As artificial intelligence reshapes the regulatory landscape across Europe, Italy is taking deliberate steps to define a national legal framework that balances innovation with fundamental rights. The Disegno di Legge sull’Intelligenza Artificiale (“AI Bill” or “Bill”), now in its final parliamentary stage, introduces substantial updates to the Italian legal system. Most notably, it integrates AI governance into the Italian Privacy Code (Legislative Decree no. 196/2003, as amended, also “Codice Privacy”), reinforcing the GDPR’s core principles while providing much-needed clarity on the processing of personal data in AI contexts.

The AI Bill introduces data protection provisions that amend the Italian Privacy Code in order to address risks emerging from algorithmic decision-making. These amendments are intended to apply both horizontally (across all AI systems involving personal data) and vertically (targeting high-risk systems, especially in public administration, healthcare and finance).

These measures reflect an effort to operationalize GDPR principles within AI system development and deployment, rather than rely solely on abstract risk frameworks.

More specifically, regarding the processing of special categories of personal data, the Bill, as currently drafted, seems to authorize the processing and secondary use of health data for scientific research purposes in the context of AI systems, provided that the data subjects are no longer identifiable, on the legal basis of Art. 9, para. 2, lit. g) GDPR. Moreover, such data can be anonymized, pseudonymized or synthesized on the relevant public interest legal basis.

This implies that amendments to the Italian Codice Privacy will also have to be made.

Moreover, and in general, the processing of minors' personal data in AI systems is only allowed with the prior consent of the parents (in the case of minors of 14 years old) or with the consent of the data subjects themselves if they are older than 14 years old. Indeed, Italian privacy legislation sets the age limit for children at 14 years old, despite the 16 years of the GDPR.

Italy’s AI Bill is a clear example of how national legislators can integrate AI governance into existing data protection structures, rather than treating them as separate regimes. 

Pending final Senate approval, the AI Bill will serve as a foundational statute that elevates data protection as a cornerstone of AI accountability in Italy.

The Bill also addresses regulatory aspects of AI use other than data protection. More specifically: AI in the administration of justice; AI and IP; AI and criminal liability; AI and finance; AI and healthcare.

This means that Italy is taking a varied approach to better address the provisions of the European AI Act Regulation and the existing provisions on crucial industries.

The final vote will be held soon by the Senate.

author

Valeria Specchio

Attorney at law (Italy)

Senior Associate
